From Obstacle To Opportunity

Mutual of Omaha Insurance Co. decided that 2004 would be the year to significantly increase its e-mail sales and marketing efforts. The e-mail program would be part of a comprehensive Internet marketing strategy that would enable the insurer to generate sales for such products as life insurance, accidental death and dismemberment, hospital indemnity and medical supplement.In the big picture, the electronic marketing effort was just a fraction of the Omaha, Neb.-based insurance and financial services giant's ambitious multimedia marketing strategy, which includes television, telemarketing and direct mail.

But as the New Year dawned, so did a new federal regulation-the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act. The law was designed to prohibit companies from sending fraudulent e-mails, as well as transmitting e-mails after objections from recipients.

According to wide-ranging estimates, so-called "spam" e-mail accounts for between 50% to 85% of all e-mail traffic. To combat the torrent of bogus e-mail, CAN-SPAM requirements put the onus on e-mail senders to carry out various tasks, including enabling recipients to "opt-out" of being contacted in the future.

The new law could have put a major crimp in Mutual of Omaha's plan to beef up its e-mail initiative. Instead, the new regulation proved to be a huge benefit. That's because Mutual of Omaha had already implemented most of the law's requirements long before it went into effect. What CAN-SPAM actually did was "weed out the 'bad actors' who ruin e-mail efforts by legitimate companies such as ours, says Thomas Graham, vice president, direct-to-consumer marketing for Mutual of Omaha.

"Spam e-mail also fatigues our customers who are sick of being overloaded with junk e-mail. So when they receive e-mails with CAN-SPAM in effect, they'll be more inclined to view them," he adds.

"On our end, we already had the law's requirements in place-such as having a relevant e-mail subject line and enabling recipients to opt-out. So it's not onerous for us to comply."

When Mutual of Omaha executives examined compliance responsibilities to the CAN-SPAM Act, they had no qualms about the law's requirements.

The company realized that most "spammers" would not comply with a law that would expose their impropriety. And, on the other end of the spectrum, the insurer had already established best practices that encompassed the law's key stipulations.

"We weren't very concerned about CAN-SPAM from the start," says Graham, who projects that this year Mutual of Omaha will sell less than 1,000 policies through the e-mail marketing campaign.

"We had accurate and valid header information that identifies us as the sender. We had complied with the stipulation that an e-mail sender must use subject headings that accurately describe the commercial purpose and content of the e-mail."

Mutual of Omaha also had designed its e-mail to enable recipients to remove their names from future e-mails, and provided a valid return e-mail address and a full physical postal address.

To remove names from e-mail lists if an individual requests to opt-out, Mutual of Omaha works with an independent broker.

Drag on operations

"The licensed agency controls the e-mail suppression duties for us," Graham says. "The opt-out is easy. If you put a flag next to a record and know how to read the flag, the name is suppressed the next time an offer is sent. A record is created that says, 'Don't talk to John Doe.'"

But CAN-SPAM might be regarded as an anomaly on the regulatory front for insurers and other industries. Indeed, many state and federal regulations-for all their good intentions-are still regarded as an imposition on a company's operations rather than an opportunity to improve the business.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley and the USA PATRIOT Act have insurers on tenterhooks as they attempt to fall in line.

Indeed, while CAN-SPAM is a breath of fresh air, many other regulations are a drag on day-to-day operations, according to industry sources.

"Over the past few years, there's been a ballooning of regulatory statutes, both on the state and federal level," says Gary Gummig, vice president of e-government for Okemos, Mich.-based Innovative IT Solutions.

For example, complying with state requirements for producer appointments and rate and form filings can be cumbersome for insurers, he says.

Gummig, who is the former CIO for Kansas City, Mo.-based National Association of Insurance Commissioners (NAIC), says it's not uncommon for insurers to annually renew all of their producers en masse rather than manually remove producers who should not be renewed.

Compliance as an opportunity

A troubling result of dealing with appointments this way is that some insurers renew producers who they later discover are deceased. "They are paying a price for having those names on their list," says Gummig.

Renewing appointments in one fell swoop doesn't have to occur this way, he says. Providers such as Innovative IT Solutions offer tools that enable insurers to comply with these regulations. But insurers also have to begin by adopting a mindset that regulatory compliance can be more than just a mandate.

To do that, "you need to meld these policies for regulatory compliance with your business and customer service strategies, and turn compliance into an opportunity," says Highmark's Romano.

In fact, Highmark, which has more than 23 million customers, annual revenues of $8 billion and is the sixth-largest Blue Cross Blue Shield Plan in the United States, turned its HIPAA privacy requirements into a means of streamlining customer service.

"When we put the system in place to comply with the privacy section of HIPAA, we designed it so our customer service systems are linked to the system that supports HIPAA compliance," explains Romano.

"Now that the databases have been integrated, customer service reps can get immediate access to customer records detailing the privacy requirements for personal data. So, not only are we complying with the privacy requirements, but our people can better serve customers," Romano says.

But this opportunity might be carried out in vain if insurers fail to recognize IT's role in the equation.

The ACORD survey found that although compliance officers generally have been assigned to manage the impact of regulatory demands, the industry is failing to fully embrace the business value of information technology when addressing regulatory requirements.

Compliance to CAN-SPAM, for instance, did not involve a lot of heavy lifting for Mutual of Omaha-and should not for other insurers-compared with other regulations for which systems integration is necessary to produce best-practices compliance.

"CAN-SPAM involves putting controls in place for e-mail transmissions, but it's a regulation that is more the responsibility of a company's marketing department, because it involves communication with customers," says Joseph Vignaly, senior director of industry solutions, for Symantec, a Cupertino, Calif.-based provider of information security software and services.

"IT has a role in compliance with CAN-SPAM, but marketing has to take the lead," he says. Overall, though, CAN-SPAM does not have as compelling an impact on insurers as other regulations."

Clamoring for tools

Other regulations beg for the implementation of technology, according to sources. "Everything we do has some degree of an IT stake involved," says Highmark's Romano.

Highmark budgeted $76 million to support its HIPAA compliance, which does not include resources to support the privacy requirements of the law.

"Our HIPAA director of information services says that complying with HIPAA is like working on an automobile engine while the car is running," says Romano. "HIPAA impacted about 80% of our electronic systems portfolio which translates to about 43 million lines of code, so it was a significant effort."

Carriers are in fact clamoring for tools to help them adhere to regulations, says Innovative IT Solutions' Gummig. "We have tools that enable them to manage state regulatory requirements in real time. When it comes to rate and form filings and producer appointments, the use of technology to establish a market profile for a company, and the use of checklists, scores and analysis are determining factors as to whether an insurer gets an on-site visit from a regulator," says Gumming. "Insurers want to be squeaky-clean from a data management standpoint."

"There has been a heightened awareness by insurers to get organized, get linked (with affiliates) and become well-aligned across all their functions," says Robert Nero, CEO for Innovative IT Solutions. Regulatory compliance is becoming a strategic issue rather than a service in organizations, he says.

But insurers have to be careful about the level of technology that goes into formulating a regulatory compliance strategy, experts say.

Relying too much on IT for regulatory compliance can "lead to a myopic technology-centric risk management strategy," according to URAC, a Washington, D.C.-based organization that promotes healthcare quality through accreditation and certification.

Issues to resolve

Organizations that made decisions outside IT had a "higher distribution of mitigation strategies . . . and lower overall costs related to compliance activities than those (that) implemented their security compliance strategies with an exclusive IT perspective," according to URAC.

At Highmark, Romano oversees compliance efforts across the various businesses. Each of these businesses has a compliance staff that handles regulations that affect only their line of business.

Highmark has developed a code of conduct that sits over all businesses and is implemented by Romano and an executive team, which meets on a monthly basis. The company has separate chief privacy and chief security officers who report to Romano.

Having a strong compliance officer in place can't be underestimated, experts say. Some compliance officers are not given the necessary authority to engage best-practices regulatory compliance-serving as more as figureheads in the corporate scheme.

"Many of them don't have carte blanche to put the IT programs in place to enhance their compliance efforts," states Gummig. "In many cases, they would have to quantify and prove to a CEO that spending money on a solution to maintain the producer appointment list on a regular basis can be justified. The compliance officer has a hard time stating a case for these investments if they can't prove it will yield results."

Insurers: CAN-SPAM Has All The Right Ingrediants

The makers of Spam canned lunch meat, Hormel Foods, Austin, Minn., have taken exception to the way their legendary product's name has been used to refer to junk e-mail.

So the ratification of the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing), which went into effect January 1, had to come as a relief to Hormel executives. If the law works as effectively as many hope, spam e-mail may disappear-along with the ubiquitous reference to Hormel's product name.

CAN-SPAM was designed to prohibit companies from sending fraudulent e-mails, as well as transmitting e-mails after objections from recipients. Insurers say they are pleased with the law-both what was included and what was left out.

Specific stipulations of the law include:

E-mail must use accurate and valid header information that identifies the sender.

E-mail must have a domain name, originating e-mail address and destination.

E-mail must have subject headings that accurately describe its commercial purpose and content.

Recipients must be able to "opt out" of future e-mails. The sender must refrain from sending e-mail messages after the recipient requested not to receive any in the future.

Sender must provide a valid return e-mail address and a full physical postal address.

What was omitted from the law is also important to many insurers and other corporations. As the House and Senate examined the measure, a provision was considered that would have forced companies to put specific details in a subject line, according to Thomas Graham, vice president, direct to consumer marketing, for Omaha, Neb.-based Mutual of Omaha.For instance, it was discussed whether the subject line of an e-mail should include the phrase "Adult Content" if the offer that a company was marketing was being targeted to adults. "You could have imagined the potential problems: Some people would see 'Adult Content' and assume it was pornography, and delete the e-mail," says Graham.

This provision was stricken from the law-as was an attempt to provide a "Do Not E-mail" list. similar to the Do Not Call registry that governs telemarketing. The Federal Trade Commission helped defeat the "Do Not E-Mail" list mainly because people change e-mail addresses so often that it would have been extremely difficult to maintain an accurate list, says Graham.